# Security Scanner Agent
Find vulnerabilities
The Security Scanner Agent automatically identifies security vulnerabilities in your code and dependencies. It runs on every pull request to catch issues before they reach production.
## What It Scans
### Code Analysis
- SQL injection vulnerabilities
- Cross-site scripting (XSS)
- Authentication/authorization issues
- Secrets and credentials in code
- Insecure cryptographic practices
- Path traversal vulnerabilities
### Dependency Scanning
- Known CVEs in packages
- Outdated dependencies with security patches
- Malicious package detection
- License compliance issues
## Configuration
```yaml
agents:
  - name: security-scanner
    template: security-scanner
    triggers:
      pull_request:
        - opened
        - synchronize
      push:
        - main
    config:
      # Severity threshold to report
      min_severity: medium # low, medium, high, critical
      # Block PR merge on findings
      block_on_findings: true
      block_severity: high
      # Scanning options
      scan_code: true
      scan_dependencies: true
      scan_secrets: true
      scan_containers: false
      # False positive management
      ignore_patterns:
        - "**/test/**"
        - "**/*.test.ts"
      # Custom rules (single quotes keep the regex backslash literal in YAML)
      custom_rules:
        - id: no-eval
          pattern: 'eval\('
          severity: high
          message: "eval() is dangerous and should not be used"
```
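To show how the fields above interact, here is an added Python model of the report-and-block decision; it is not BambooSnow's own code. It assumes gitignore-style glob semantics for `ignore_patterns`, treats each `pattern` as a regex applied per source line, and adds a hypothetical `sql-interpolation` rule next to the page's `no-eval` rule.

```python
import re
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed config: the page's example fields plus one hypothetical SQL rule.
CONFIG = {
    "min_severity": "medium",
    "block_on_findings": True,
    "block_severity": "high",
    "ignore_patterns": ["**/test/**", "**/*.test.ts"],
    "custom_rules": [
        {"id": "no-eval", "pattern": r"eval\(", "severity": "high",
         "message": "eval() is dangerous and should not be used"},
        {"id": "sql-interpolation", "pattern": r"SELECT .*\$\{", "severity": "critical",
         "message": "user input interpolated into a SQL string"},
    ],
}

def glob_to_regex(pattern: str) -> re.Pattern:
    """Gitignore-style glob: '**' spans directories, a single '*' stays within one."""
    parts = re.split(r"(\*\*/|\*\*|\*)", pattern)
    table = {"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*"}
    return re.compile("^" + "".join(table.get(p, re.escape(p)) for p in parts) + "$")

def is_ignored(path: str, patterns: list) -> bool:
    return any(glob_to_regex(p).match(path) for p in patterns)

def scan(files: dict, config: dict) -> list:
    """Apply custom_rules line by line; keep findings at or above min_severity."""
    min_rank = SEVERITY_RANK[config["min_severity"]]
    findings = []
    for path, source in files.items():
        if is_ignored(path, config["ignore_patterns"]):
            continue  # false-positive management: ignored paths are never reported
        for lineno, line in enumerate(source.splitlines(), 1):
            for rule in config["custom_rules"]:
                if re.search(rule["pattern"], line) and SEVERITY_RANK[rule["severity"]] >= min_rank:
                    findings.append({"rule": rule["id"], "file": f"{path}:{lineno}",
                                     "severity": rule["severity"], "message": rule["message"]})
    return findings

def should_block(findings: list, config: dict) -> bool:
    """Block the merge only when enabled and some finding reaches block_severity."""
    threshold = SEVERITY_RANK[config["block_severity"]]
    return config["block_on_findings"] and any(SEVERITY_RANK[f["severity"]] >= threshold for f in findings)

# Constructed sample tree: a hit in src/, and a hit in an ignored test file.
FILES = {
    "src/api/users.ts": "const query = `SELECT * FROM users WHERE id = ${userId}`;\n",
    "src/util/parse.ts": "const v = eval(input);\n",
    "src/util/parse.test.ts": "eval('1 + 1');\n",
}
```

Running `scan(FILES, CONFIG)` reports the two `src/` hits and skips the test file, and `should_block` returns true because the critical finding exceeds `block_severity: high`.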
## Vulnerability Report
When vulnerabilities are found, the agent posts a detailed report:
````markdown
## Security Scan Results

🔴 **2 Critical** | 🟠 **5 High** | 🟡 **12 Medium** | 🔵 **3 Low**

### Critical Vulnerabilities

#### CVE-2024-1234: Remote Code Execution in lodash

**Package:** lodash@4.17.20
**Fixed in:** 4.17.21
**CVSS Score:** 9.8

This vulnerability allows remote attackers to execute arbitrary code...

**Remediation:**
```bash
npm update lodash
```

---

#### SQL Injection in user lookup

**File:** src/api/users.ts:45
**Severity:** Critical

User input is directly concatenated into the SQL query...

**Current code:**
```typescript
const query = `SELECT * FROM users WHERE id = ${userId}`;
```

**Recommended fix:**
```typescript
const query = 'SELECT * FROM users WHERE id = $1';
await db.query(query, [userId]);
```
````
## Severity Levels
| Level | Description | Action |
|-------|-------------|--------|
| Critical | Actively exploitable, immediate risk | Block merge, fix immediately |
| High | Significant risk, exploitable | Block merge, prioritize fix |
| Medium | Potential risk, limited exposure | Review and plan fix |
| Low | Minor risk, informational | Document and track |
## Secret Detection
The agent scans for accidentally committed secrets:
- API keys (AWS, GCP, Azure, Stripe, etc.)
- Private keys and certificates
- Database connection strings
- OAuth tokens
- Password patterns
When detected:
- The PR is blocked
- A warning is posted
- Instructions for secret rotation are provided
## Compliance Checks
Enable compliance scanning for:
- OWASP Top 10
- CWE Top 25
- PCI DSS requirements
- SOC 2 controls
```yaml
config:
  compliance:
    - owasp-top-10
    - cwe-top-25
```
## Integration with CI/CD
The security scanner integrates with your CI/CD pipeline:
```yaml
# GitHub Actions example
- name: BambooSnow Security Scan
  uses: bamboosnow/security-scan@v1
  with:
    api_key: ${{ secrets.BAMBOOSNOW_API_KEY }}
    fail_on_severity: high
```